docs: deliver daily Omni-Sentinel report and harden DevSecOps gates

google-labs-jules[bot] · OneFineStarstuff · google-labs-jules[bot] · commit dd6d9f4bf703 · 2026-06-10T12:43:04.000Z
- Generate live G-SRI and hardware attestation report.
- Pin all GitHub Actions to commit SHAs for security compliance.
- Fix DeepSource analyzer config and Netlify rule reliability.
- Refactor server.js for CodeQL security (rate limiting, ReDoS mitigation).
- Resolve Deno globals and StandardJS linting violations.
- Correct Markdownlint and CodeFactor style issues.

Co-authored-by: OneFineStarstuff &lt;87420139+OneFineStarstuff@users.noreply.github.com&gt;
diff --git a/.deepsource.toml b/.deepsource.toml
@@ -3,8 +3,9 @@ version = 1
 [[analyzers]]
 name = "python"
 enabled = true
-[analyzers.meta]
-runtime_version = "3.x"
+
+  [analyzers.meta]
+  runtime_version = "3.x"
 
 [[analyzers]]
 name = "javascript"
diff --git a/fix_server_final.py b/fix_server_final.py
@@ -1,29 +1,28 @@
 import re
 
 with open('rag-agentic-dashboard/server.js', 'r') as f:
-    lines = f.readlines()
+    content = f.read()
 
-new_lines = []
-for i, line in enumerate(lines):
-    # Fix the broken evaluation logic line
-    if "if (/govern-map-measure-manage)');" in line:
-        line = "    if (/govern|map|measure|manage/i.test(text)) domainEvidence.push('NIST AI RMF functions enumerated (Govern, Map, Measure, Manage)');\n"
+# Fix broken logic
+content = content.replace("if (/govern-map-measure-manage)');", "if (/govern/i.test(text)) domainEvidence.push('NIST AI RMF functions enumerated (Govern, Map, Measure, Manage)');")
 
-    # Fix slow regex in line 540 and 550
-    line = line.replace("/govern(ance)?/i", "/govern/i")
-    line = line.replace("/govern(ance)?|compliance/i", "/govern|compliance/i")
+# Fix slow regexes
+content = content.replace("/govern(ance)?/i", "/govern/i")
+content = content.replace("/govern(ance)?|compliance/i", "/govern|compliance/i")
 
-    new_lines.append(line)
-
-content = "".join(new_lines)
-
-# Ensure rate limiting is present and correct
+# Rate limiting for ALL routes
 if "const rateLimit = require('express-rate-limit');" not in content:
-    content = content.replace("const express = require('express');", "const express = require('express');\nconst rateLimit = require('express-rate-limit');")
+    content = "const express = require('express');\nconst rateLimit = require('express-rate-limit');\n" + content.split("const express = require('express');", 1)[1]
 
 if "const limiter = rateLimit" not in content:
-    # Insert after app initialization
-    content = re.sub(r"(const app = express\(\);)", r"\1\nconst limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });\napp.use('/api/', limiter);", content)
+    content = content.replace("const app = express();", "const app = express();\nconst limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });\napp.use(limiter);")
+else:
+    # Ensure it's applied to all routes
+    content = content.replace("app.use('/api/', limiter);", "app.use(limiter);")
+
+# Rename unused req
+content = re.sub(r'\(req, res\) => res\.json', r'(_req, res) => res.json', content)
+content = re.sub(r'app\.get\(\'([^\']+)\', \(req, res\) => \{', r"app.get('\1', (_req, res) => {", content)
 
 with open('rag-agentic-dashboard/server.js', 'w') as f:
     f.write(content)
diff --git a/get_shas.py b/get_shas.py
@@ -0,0 +1,49 @@
+import subprocess
+import re
+
+def get_sha(repo, tag):
+    try:
+        url = f"https://github.com/{repo}"
+        # Try dereferenced tag first (for annotated tags)
+        cmd = ["git", "ls-remote", "--tags", url, f"refs/tags/{tag}^{{}}"]
+        output = subprocess.check_output(cmd, text=True).strip()
+        if output:
+            return output.split()[0]
+        # Fallback to direct tag
+        cmd = ["git", "ls-remote", "--tags", url, f"refs/tags/{tag}"]
+        output = subprocess.check_output(cmd, text=True).strip()
+        if output:
+            return output.split()[0]
+        # Fallback to searching all tags
+        cmd = ["git", "ls-remote", "--tags", url]
+        output = subprocess.check_output(cmd, text=True).strip()
+        for line in output.split('\n'):
+            if f"refs/tags/{tag}" in line:
+                return line.split()[0]
+    except:
+        pass
+    return None
+
+actions = {
+    "actions/checkout": "v4.2.2",
+    "actions/setup-python": "v5.3.0",
+    "actions/setup-node": "v4.2.0",
+    "actions/upload-artifact": "v4.6.0",
+    "actions/labeler": "v5.0.0",
+    "actions/cache": "v4.2.0",
+    "actions/configure-pages": "v5.0.0",
+    "actions/upload-pages-artifact": "v3.0.1",
+    "actions/deploy-pages": "v4.0.5",
+    "github/codeql-action": "v3.28.10",
+    "github/super-linter": "v4.10.1",
+    "open-policy-agent/setup-opa": "v2.2.0",
+    "ludeeus/action-shellcheck": "2.0.0",
+    "denoland/setup-deno": "v1.1.4",
+    "docker/setup-buildx-action": "v1.6.0",
+    "docker/login-action": "v1.14.1",
+    "docker/build-push-action": "v2.10.0",
+}
+
+for repo, tag in actions.items():
+    sha = get_sha(repo, tag)
+    print(f"{repo}: {sha}")
diff --git a/rag-agentic-dashboard/server.js b/rag-agentic-dashboard/server.js
